RA - Risk Assessment
- Controls Count: 11
- Controls IDs: RA-1, RA-2, RA-3, RA-3 (1), RA-5, RA-5 (2), RA-5 (4), RA-5 (5), RA-5 (11), RA-7, RA-9
Controls
RA-1: Policy and Procedures
a. Develop, document, and disseminate to organization-defined personnel or roles:
   1. Organization-level, mission/business process-level, and/or system-level risk assessment policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;
b. Designate an organization-defined official to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
c. Review and update the current risk assessment:
   1. Policy at an organization-defined frequency and following organization-defined events; and
   2. Procedures at an organization-defined frequency and following organization-defined events.
Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a risk assessment policy is developed and documented;
the risk assessment policy is disseminated to organization-defined personnel or roles;
risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
the risk assessment procedures are disseminated to organization-defined personnel or roles;
the organization-level, mission/business process-level, and/or system-level risk assessment policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level risk assessment policy addresses scope;
the organization-level, mission/business process-level, and/or system-level risk assessment policy addresses roles;
the organization-level, mission/business process-level, and/or system-level risk assessment policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level risk assessment policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level risk assessment policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level risk assessment policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
the organization-defined official is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;
the current risk assessment policy is reviewed and updated at the organization-defined frequency;
the current risk assessment policy is reviewed and updated following organization-defined events;
the current risk assessment procedures are reviewed and updated at the organization-defined frequency;
the current risk assessment procedures are reviewed and updated following organization-defined events.
Risk assessment policy and procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with risk assessment responsibilities
organizational personnel with security and privacy responsibilities
RA-2: Security Categorization
a. Categorize the system and information it processes, stores, and transmits;
b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.
Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.
Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.
the system and the information it processes, stores, and transmits are categorized;
the security categorization results, including supporting rationale, are documented in the security plan for the system;
the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Risk assessment policy
security planning policy and procedures
procedures addressing security categorization of organizational information and systems
security categorization documentation
system security plan
privacy plan
other relevant documents or records
Organizational personnel with security categorization and risk assessment responsibilities
organizational personnel with security and privacy responsibilities
Organizational processes for security categorization
RA-3: Risk Assessment
a. Conduct a risk assessment, including:
   1. Identifying threats to and vulnerabilities in the system;
   2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
   3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in security and privacy plans, a risk assessment report, or an organization-defined document;
d. Review risk assessment results at an organization-defined frequency;
e. Disseminate risk assessment results to organization-defined personnel or roles; and
f. Update the risk assessment at an organization-defined frequency or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.
Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.
Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
a risk assessment is conducted to identify threats to and vulnerabilities in the system;
a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
risk assessment results are documented in security and privacy plans, a risk assessment report, or an organization-defined document;
risk assessment results are reviewed at the organization-defined frequency;
risk assessment results are disseminated to organization-defined personnel or roles;
the risk assessment is updated at the organization-defined frequency or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
Risk assessment policy
risk assessment procedures
security and privacy planning policy and procedures
procedures addressing organizational assessments of risk
risk assessment
risk assessment results
risk assessment reviews
risk assessment updates
system security plan
privacy plan
other relevant documents or records
Organizational personnel with risk assessment responsibilities
organizational personnel with security and privacy responsibilities
Organizational processes for risk assessment
mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment
RA-3 (1): Supply Chain Risk Assessment
(a) Assess supply chain risks associated with organization-defined systems, system components, and system services; and
(b) Update the supply chain risk assessment at an organization-defined frequency, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.
supply chain risks associated with organization-defined systems, system components, and system services are assessed;
the supply chain risk assessment is updated at the organization-defined frequency, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
Supply chain risk management policy
inventory of critical systems, system components, and system services
risk assessment policy
security planning policy and procedures
procedures addressing organizational assessments of supply chain risk
risk assessment
risk assessment results
risk assessment reviews
risk assessment updates
acquisition policy
system security plan
supply chain risk management plan
other relevant documents or records
Organizational personnel with risk assessment responsibilities
organizational personnel with security responsibilities
organizational personnel with supply chain risk management responsibilities
Organizational processes for risk assessment
mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment
RA-5: Vulnerability Monitoring and Scanning
a. Monitor and scan for vulnerabilities in the system and hosted applications at an organization-defined frequency and/or randomly in accordance with an organization-defined process, and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
   1. Enumerating platforms, software flaws, and improper configurations;
   2. Formatting checklists and test procedures; and
   3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.
Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).
Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.
Organizations may also employ the use of financial incentives (also known as "bug bounties") to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.
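The remediation and sharing requirements in RA-5 d. and e. are easier to assess when the scanner output is tracked against concrete deadlines. The following is an added example, not part of NIST SP 800-53 or 800-53A: it takes scan findings scored with CVSS (the impact standard the discussion names), derives a remediation deadline from an assumed set of organization-defined response times keyed to CVSS severity bands, lists open findings that have passed their deadline, and lists vulnerabilities present on more than one host, which is the information RA-5 e. expects to be shared so that similar vulnerabilities are eliminated elsewhere. The response-time tiers, the host names and every finding are constructed; the vulnerability identifiers are placeholders in the CVE naming shape, not real CVE records.

```python
"""Remediation-deadline and cross-system sharing check for scan findings.

Added example, not part of NIST SP 800-53 or 800-53A. The response-time tiers,
the CVSS-band mapping of those tiers, and every finding below are constructed
assumptions; the vulnerability identifiers are placeholders, not real CVE entries.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed organization-defined response times for RA-5 d., in days, keyed to the
# CVSS v3.x qualitative severity band reported by the scanner (RA-5 b.3).
RESPONSE_TIME_DAYS: Dict[str, int] = {
    "critical": 15,
    "high": 30,
    "medium": 90,
    "low": 180,
}


def cvss_severity(base_score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score >= 9.0:
        return "critical"
    if base_score >= 7.0:
        return "high"
    if base_score >= 4.0:
        return "medium"
    if base_score >= 0.1:
        return "low"
    return "none"


@dataclass(frozen=True)
class Finding:
    """One scanner result; vuln_id is a placeholder in the CVE naming shape."""
    vuln_id: str
    host: str
    cvss_base: float
    first_seen: date
    remediated: bool = False


def due_date(finding: Finding) -> Optional[date]:
    """Remediation deadline: first detection plus the tier's response time."""
    severity = cvss_severity(finding.cvss_base)
    if severity == "none":
        return None
    return finding.first_seen + timedelta(days=RESPONSE_TIME_DAYS[severity])


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings whose deadline has passed, most severe first."""
    late = []
    for f in findings:
        deadline = due_date(f)
        if not f.remediated and deadline is not None and today > deadline:
            late.append(f)
    return sorted(late, key=lambda f: (-f.cvss_base, f.first_seen))


def shared_across_hosts(findings: List[Finding]) -> Dict[str, List[str]]:
    """Vulnerabilities seen on more than one host: the RA-5 e. sharing list."""
    hosts: Dict[str, set] = {}
    for f in findings:
        hosts.setdefault(f.vuln_id, set()).add(f.host)
    return {v: sorted(h) for v, h in hosts.items() if len(h) > 1}


# Constructed sample findings (placeholder identifiers, not real CVE records).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-01", 9.8, date(2024, 5, 1)),
    Finding("CVE-0000-0001", "web-02", 9.8, date(2024, 5, 20)),
    Finding("CVE-0000-0002", "db-01", 5.3, date(2024, 1, 15)),
    Finding("CVE-0000-0003", "db-01", 3.1, date(2024, 5, 25), remediated=True),
    Finding("CVE-0000-0004", "print-01", 7.5, date(2024, 5, 10)),
]
AS_OF = date(2024, 6, 1)  # constructed "today" for the report

if __name__ == "__main__":
    for f in overdue(SAMPLE_FINDINGS, AS_OF):
        print(f"OVERDUE {f.vuln_id} on {f.host}: due {due_date(f)}")
    for vuln, hosts in shared_across_hosts(SAMPLE_FINDINGS).items():
        print(f"SHARE {vuln}: present on {', '.join(hosts)}")
```

Deadlines are anchored to the first detection date rather than the report date, so a finding that keeps reappearing in successive scans does not have its clock reset; the remediated flag rather than absence from the latest scan closes it, since a host that was simply offline during a scan would otherwise drop off the list.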
systems and hosted applications are monitored for vulnerabilities at the organization-defined frequency and when new vulnerabilities potentially affecting the system are identified and reported;
systems and hosted applications are scanned for vulnerabilities at the organization-defined frequency and when new vulnerabilities potentially affecting the system are identified and reported;
vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;
vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;
vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;
vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;
vulnerability scan reports and results from vulnerability monitoring are analyzed;
legitimate vulnerabilities are remediated within the organization-defined response times in accordance with an organizational assessment of risk;
information obtained from the vulnerability monitoring process and control assessments is shared with organization-defined personnel or roles to help eliminate similar vulnerabilities in other systems;
vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
Risk assessment policy
procedures addressing vulnerability scanning
risk assessment
assessment report
vulnerability scanning tools and associated configuration documentation
vulnerability scanning results
patch and vulnerability management records
system security plan
other relevant documents or records
Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities
organizational personnel with vulnerability scan analysis responsibilities
organizational personnel with vulnerability remediation responsibilities
organizational personnel with security responsibilities
system/network administrators
Organizational processes for vulnerability scanning, analysis, remediation, and information sharing
mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing
RA-5 (2): Update Vulnerabilities to Be Scanned
Update the system vulnerabilities to be scanned at an organization-defined frequency, prior to a new scan, and/or when new vulnerabilities are identified and reported.
Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.
the system vulnerabilities to be scanned are updated at the organization-defined frequency, prior to a new scan, and/or when new vulnerabilities are identified and reported.
Procedures addressing vulnerability scanning
assessment report
vulnerability scanning tools and associated configuration documentation
vulnerability scanning results
patch and vulnerability management records
system security plan
other relevant documents or records
Organizational personnel with vulnerability scanning responsibilities
organizational personnel with vulnerability scan analysis responsibilities
organizational personnel with security responsibilities
system/network administrators
Organizational processes for vulnerability scanning
mechanisms/tools supporting and/or implementing vulnerability scanning
RA-5 (4): Discoverable Information
Determine information about the system that is discoverable and take organization-defined corrective actions.
Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.
information about the system that is discoverable is determined;
organization-defined corrective actions are taken when information about the system is confirmed as discoverable.
Procedures addressing vulnerability scanning
assessment report
penetration test results
vulnerability scanning results
risk assessment report
records of corrective actions taken
incident response records
audit records
system security plan
other relevant documents or records
Organizational personnel with vulnerability scanning and/or penetration testing responsibilities
organizational personnel with vulnerability scan analysis responsibilities
organizational personnel responsible for risk response
organizational personnel responsible for incident management and response
organizational personnel with security responsibilities
Organizational processes for vulnerability scanning
organizational processes for risk response
organizational processes for incident management and response
mechanisms/tools supporting and/or implementing vulnerability scanning
mechanisms supporting and/or implementing risk response
mechanisms supporting and/or implementing incident management and response
RA-5 (5): Privileged Access
Implement privileged access authorization to organization-defined system components for organization-defined vulnerability scanning activities.
In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.
privileged access authorization is implemented to organization-defined system components for organization-defined vulnerability scanning activities.
Risk assessment policy
procedures addressing vulnerability scanning
system design documentation
system configuration settings and associated documentation
list of system components for vulnerability scanning
personnel access authorization list
authorization credentials
access authorization records
system security plan
other relevant documents or records
Organizational personnel with vulnerability scanning responsibilities
system/network administrators
organizational personnel responsible for access control to the system
organizational personnel responsible for configuration management of the system
system developers
organizational personnel with security responsibilities
Organizational processes for vulnerability scanning
organizational processes for access control
mechanisms supporting and/or implementing access control
mechanisms/tools supporting and/or implementing vulnerability scanning
RA-5 (11): Public Disclosure Program
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.
a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.
Risk assessment policy
procedures addressing vulnerability scanning
risk assessment
vulnerability scanning tools and techniques documentation
vulnerability scanning results
vulnerability management records
audit records
public reporting channel
system security plan
other relevant documents or records
Organizational personnel with vulnerability scanning responsibilities
organizational personnel with vulnerability scan analysis responsibilities
organizational personnel with security responsibilities
Organizational processes for vulnerability scanning
mechanisms/tools supporting and/or implementing vulnerability scanning
mechanisms implementing the public reporting of vulnerabilities
RA-7: Risk Response
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.
findings from security assessments are responded to in accordance with organizational risk tolerance;
findings from privacy assessments are responded to in accordance with organizational risk tolerance;
findings from monitoring are responded to in accordance with organizational risk tolerance;
findings from audits are responded to in accordance with organizational risk tolerance.
Risk assessment policy
assessment reports
audit records/event logs
system security plan
privacy plan
other relevant documents or records
Organizational personnel with assessment and auditing responsibilities
system/network administrators
organizational personnel with security and privacy responsibilities
Organizational processes for assessments and audits
mechanisms/tools supporting and/or implementing assessments and auditing
RA-9: Criticality Analysis
Identify critical system components and functions by performing a criticality analysis for organization-defined systems, system components, or system services at organization-defined decision points in the system development life cycle.
Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.
The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.
Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.
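The functional decomposition described above (missions, the functions that perform them, and the hardware, software and firmware components that implement those functions) together with the rule that components allowing unmediated access to critical components are themselves critical can be carried out mechanically once the traceability is recorded. The following is an added example, not from NIST SP 800-53 or any project: it takes a constructed decomposition of a hypothetical payments system, marks components critical when they implement a function of a critical mission, propagates criticality backwards along an assumed "unmediated access" relation until nothing changes, and reports components shared by several functions, which are the candidates for the redundancy or alternate paths the discussion mentions. All mission, function and component names are constructed.

```python
"""Criticality propagation over a functional decomposition (added example).

Not from NIST SP 800-53; the decomposition and the access relation below are
constructed. Model: missions -> functions -> components (traceability), plus an
"unmediated access" relation between components. Components implementing a
function of a critical mission are critical, and so is any component with
unmediated access to a critical component (transitively).
"""
from typing import Dict, Iterable, List, Set

MissionMap = Dict[str, List[str]]   # mission -> functions that perform it
FunctionMap = Dict[str, List[str]]  # function -> components implementing it
AccessMap = Dict[str, List[str]]    # component -> components it reaches without mediation


def trace_components(mission_functions: MissionMap,
                     function_components: FunctionMap) -> Dict[str, Set[str]]:
    """Component -> set of functions it implements (the traceability record)."""
    trace: Dict[str, Set[str]] = {}
    for functions in mission_functions.values():
        for fn in functions:
            for comp in function_components.get(fn, []):
                trace.setdefault(comp, set()).add(fn)
    return trace


def critical_components(mission_functions: MissionMap,
                        function_components: FunctionMap,
                        unmediated_access: AccessMap,
                        critical_missions: Iterable[str]) -> Set[str]:
    """Components that are critical by function or by unmediated reach."""
    critical_functions = {fn for m in critical_missions
                          for fn in mission_functions.get(m, [])}
    critical = {comp for fn in critical_functions
                for comp in function_components.get(fn, [])}
    # Fixed-point propagation: a component that can reach a critical component
    # without mediation inherits criticality and may in turn expose others.
    changed = True
    while changed:
        changed = False
        for src, targets in unmediated_access.items():
            if src not in critical and any(t in critical for t in targets):
                critical.add(src)
                changed = True
    return critical


def shared_components(trace: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Components serving more than one function: where a single failure has the
    widest mission impact, and where redundancy or alternate paths pay off."""
    return {c: sorted(fns) for c, fns in trace.items() if len(fns) > 1}


# Constructed decomposition of a hypothetical payments system.
MISSION_FUNCTIONS: MissionMap = {
    "settle-payments": ["authenticate-users", "post-ledger"],
    "management-reporting": ["produce-reports"],
}
FUNCTION_COMPONENTS: FunctionMap = {
    "authenticate-users": ["idp", "db"],
    "post-ledger": ["app", "db"],
    "produce-reports": ["bi", "db"],
}
UNMEDIATED_ACCESS: AccessMap = {
    "mgmt-jump": ["db"],        # admin jump host with direct database access
    "bastion": ["mgmt-jump"],   # reaches the database only via the jump host
    "bi": [],                   # reporting tool: mediated access only (assumed)
}
CRITICAL_MISSIONS = ["settle-payments"]

if __name__ == "__main__":
    crit = critical_components(MISSION_FUNCTIONS, FUNCTION_COMPONENTS,
                               UNMEDIATED_ACCESS, CRITICAL_MISSIONS)
    print("critical:", sorted(crit))
    trace = trace_components(MISSION_FUNCTIONS, FUNCTION_COMPONENTS)
    print("shared:", shared_components(trace))
```

In the constructed data the bastion host implements no mission function at all, yet it comes out critical because it reaches the jump host, which reaches the database; that two-step inheritance is exactly the case a one-pass check misses, and the reason the propagation runs to a fixed point.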
critical system components and functions are identified by performing a criticality analysis for organization-defined systems, system components, or system services at organization-defined decision points in the system development life cycle.
Risk assessment policy
assessment reports
criticality analysis/finalized criticality for each component/subcomponent
audit records/event logs
analysis reports
system security plan
other relevant documents or records
Organizational personnel with assessment and auditing responsibilities
organizational personnel with criticality analysis responsibilities
system/network administrators
organizational personnel with security responsibilities
Organizational processes for assessments and audits
mechanisms/tools supporting and/or implementing assessments and auditing